Well, it has happened again. One of my credit cards has been used to make unauthorized purchases. I was contacted about a month ago by my issuing bank to inform me of suspicious purchases at a grocery store and restaurant in Arizona. I presumed (incorrectly) that because I live in North Carolina and did not make any airline ticket purchases or show a pattern of purchases that would lead them to believe that I was in Arizona, the card issuing bank became suspicious and contacted me. Once I informed them that I did not make the purchases and that the card was still in my possession, they immediately canceled the account and issued me a new card. I was impressed with their monitoring system that was able to detect this fraud so quickly. I discovered later that the bank was not as proactive as I had assumed.

This is not the first time this has happened to me. A couple of years ago this same card was used to make fraudulent purchases on a web site. In that case, I notified the bank of the fraudulent transaction after seeing it on my statement. I never did figure out how my card information was obtained during that incident, but something interesting happened recently that I believe explains how the criminals got a hold of my card data this time. It also explains how the bank noticed the unauthorized charges so quickly.

A few days ago I received a letter in the mail from a major hotel chain stating that they had suffered a breach and that my credit card information had been stolen. I only stayed at this particular hotel once about two and half years ago and I used this credit card to pay for the room. According to the letter, a “sophicated hacker” had gained access to the computer systems of one of their franchises and was able to access “customer transaction files at a number of other hotels” to obtain credit and debit card data. Aha. Given the timing of the incidents it seems probable that the fraudulent transactions were a result of this breach.

To the hotel’s credit, they did at least have some detective controls in place that discovered the breach and appropriately alerted both the payment card companies as well as affected customers. This is how my issuing bank detected the fraudulent charges so quickly. They had a heads up. However, the hotel was clearly not in compliance with the PCI DSS. Credit card data is supposed to be encrypted when stored, which would have prevented the hacker from being able to read this sensitive information. And if it was encrypted, then they did not properly manage the encryption keys, which again, is a violation of the PCI DSS.

One of the most important things for any company that stores sensitive information, such as credit card data, to do is implement controls to delete such data after a certain period of time. There is no reason to store credit card data for two and half years, especially if there is not a recuring transaction. By limiting the amount of sensitive data that is stored to the absolute minimum necessary for business purposes, a business can reduce its risk and mitigate the resulting damage in the event of a security breach. No doubt this hotel chain is spending much more on cleaning up after this incident than it would have had it followed this advice.